CVE-2024-1455

Advisory

The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities. This would allow a malicious party to attempt to manipulate the LLM to produce a malicious payload for the parser that would compromise the availability of the service. At risk are users that:
- Are running older distributions of python that have older version of libexpat. Expat 2.4.1 and newer are not affected.
- Are using XMLOutputParser with an agent.
- Accept inputs from untrusted sources with this agent (e.g., endpoint on the web that allows an untrusted user to interact wiith the parser).

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6
• https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1455
• https://docs.python.org/3/library/xml.html
• https://github.com/langchain-ai/langchain/pull/19653
• https://github.com/advisories/GHSA-q84m-rmw3-4382
• https://inspector.pypi.io/project/langchain-core/0.1.35/packages/07/d0/1018dfc4263eb895a92fae77582e71d04ffd0b95869a9499b0b4ede51013/langchain_core-0.1.35.tar.gz/langchain_core-0.1.35/langchain_core/output_parsers/xml.py#line.137
• https://python-security.readthedocs.io/vuln/expat-billion-laughs.html